auparse_flush_feed - Linux
Overview

auparse_flush_feed is a Linux command used to flush audit records from a user-supplied feed into the Linux audit system for processing. This is primarily useful when integrating external audit event sources with the Linux audit framework.

Syntax

auparse_flush_feed [options] [feed=<feed_dir>]

Options/Flags

  • -t, --timeout=<seconds>: Timeout (in seconds) to wait for audit records to be written to disk. Default: 10
  • -v, --verbose: Increase the logging verbosity level.
  • -h, --help: Display usage information.

Examples

Flush audit events from a specified feed directory:

auparse_flush_feed feed=/path/to/feed/directory

Flush audit events from the default feed directory with a longer timeout:

auparse_flush_feed -t 30

Verbosely flush audit events from a specified feed directory:

auparse_flush_feed -v feed=/path/to/feed/directory

Common Issues

  • Insufficient permissions: Ensure the user running auparse_flush_feed has read access to the specified feed directory and the records in it.
  • Feed directory not found: Verify that the directory given with feed=<feed_dir> exists and contains valid audit records.
  • Timeout exceeded: If the flush takes longer than expected, raise the timeout with -t (--timeout=<seconds>).

Integration

auparse_flush_feed can be combined with other audit-related tools, such as aureport and ausearch, for advanced audit analysis and reporting tasks.

Related Commands

  • ausearch: Search the audit logs for records matching given criteria.
  • aureport: Generate summary reports from the audit logs based on specified criteria.
  • auditctl: Configure the audit system settings and rules.